Existing vulnerability detection approaches operate primarily at the package or library level, failing to pinpoint vulnerable functions precisely; moreover, patch-based identification is often confounded by irrelevant code changes. Method: We propose FuncVul, the first fine-grained, function-level vulnerability detector for C/C++ and Python. FuncVul models code at the code-block granularity—not entire functions—leverages GraphCodeBERT to jointly encode syntactic and semantic features, and employs large language models to automatically generate high-quality vulnerability labels. We further construct a code-block-level benchmark dataset covering six vulnerability categories. Results: FuncVul achieves 87–92% accuracy and 86–92% F1-score across multiple datasets—outperforming whole-function baselines by +53.9% in accuracy and +42.0% in F1-score. This advancement significantly improves auditability and patchability in open-source software supply chains.

Software supply chain vulnerabilities arise when attackers exploit weaknesses by injecting vulnerable code into widely used packages or libraries within software repositories. While most existing approaches focus on identifying vulnerable packages or libraries, they often overlook the specific functions responsible for these vulnerabilities. Pinpointing vulnerable functions within packages or libraries is critical, as it can significantly reduce the risks associated with using open-source software. Identifying vulnerable patches is challenging because developers often submit code changes that are unrelated to vulnerability fixes. To address this issue, this paper introduces FuncVul, an innovative code chunk-based model for function-level vulnerability detection in C/C++ and Python, designed to identify multiple vulnerabilities within a function by focusing on smaller, critical code segments. To assess the model's effectiveness, we construct six code and generic code chunk based datasets using two approaches: (1) integrating patch information with large language models to label vulnerable samples and (2) leveraging large language models alone to detect vulnerabilities in function-level code. To design FuncVul vulnerability model, we utilise GraphCodeBERT fine tune model that captures both the syntactic and semantic aspects of code. Experimental results show that FuncVul outperforms existing state-of-the-art models, achieving an average accuracy of 87-92% and an F1 score of 86-92% across all datasets. Furthermore, we have demonstrated that our code-chunk-based FuncVul model improves 53.9% accuracy and 42.0% F1-score than the full function-based vulnerability prediction. The FuncVul code and datasets are publicly available on GitHub at https://github.com/sajalhalder/FuncVul.